AWS IAM Policies
This configuration is applied to the Trust Relationships of an IAM Role. It lets the listed AWS services assume the role, which is what the most common integrations need (e.g. a CloudWatch Events rule invoking it). https://console.aws.amazon.com/iam/home?region=eu-west-1#/roles/mailer https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SQS.html#sendMessage-property
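# Role Access Control Policy (minimum workable config)
#
# Trust policy: goes under the role's "Trust relationships" tab, not in a
# permission policy. It lets the three AWS service principals listed below call
# sts:AssumeRole on this role.
# NOTE(review): there is no Condition block. For service principals such as
# events.amazonaws.com and apigateway.amazonaws.com the usual way to limit WHICH
# rule or API (and in which account) may assume the role is a Condition on
# aws:SourceAccount and/or aws:SourceArn; without one, the grant is not tied to
# any particular resource. Confirm the exact source ARNs with whoever owns the
# rule/API before relying on this as-is.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "events.amazonaws.com",
          "lambda.amazonaws.com",
          "apigateway.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

# Send Email Policy (via AWS SES)
#
# Permission policy for the runtime role: allows sending mail through SES
# (SendEmail and SendRawEmail only; no SES configuration actions).
# NOTE(review): "Resource": "*" means the role may send from ANY verified SES
# identity in the account. If mail should only go out from one domain or
# address, scope Resource to that identity ARN instead (format:
# arn:aws:ses:<region>:<account-id>:identity/<identity> — placeholder values).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "*"
    }
  ]
}

# Serverless Framework
#
# Deployment policy for the Serverless Framework (CloudFormation-driven
# deploys). Attach it to the DEPLOYMENT identity (CI user/role), never to the
# runtime role trusted above.
# NOTE(review): this is a broad policy. iam:CreateRole, iam:PutRolePolicy,
# iam:AttachRolePolicy and iam:PassRole on "Resource": "*" together let the
# holder create roles with any permissions and hand them to lambda:* /
# apigateway:* (also unscoped), so the effective privilege of this policy is
# that of any role it can create. Mitigations to consider: restrict the iam:*
# actions to a role-name prefix ARN, require a permissions boundary
# (iam:PermissionsBoundary condition) on created roles, and scope the
# cloudformation/s3/logs actions to the deployment stack's resources.
# "Version" sits last here; key order is insignificant in an IAM document.
{
  "Statement": [
    {
      "Action": [
        "apigateway:*",
        "cloudformation:CancelUpdateStack",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:CreateUploadBucket",
        "cloudformation:DeleteStack",
        "cloudformation:Describe*",
        "cloudformation:EstimateTemplateCost",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:UpdateStack",
        "cloudformation:UpdateTerminationProtection",
        "cloudformation:ValidateTemplate",
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:DescribeTable",
        "dynamodb:DescribeTimeToLive",
        "dynamodb:UpdateTimeToLive",
        "ec2:AttachInternetGateway",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateInternetGateway",
        "ec2:CreateNetworkAcl",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteVpc",
        "ec2:Describe*",
        "ec2:DetachInternetGateway",
        "ec2:ModifyVpcAttribute",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:ListRuleNamesByTarget",
        "events:ListRules",
        "events:ListTargetsByRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iot:CreateTopicRule",
        "iot:DeleteTopicRule",
        "iot:DisableTopicRule",
        "iot:EnableTopicRule",
        "iot:ReplaceTopicRule",
        "kinesis:CreateStream",
        "kinesis:DeleteStream",
        "kinesis:DescribeStream",
        "lambda:*",
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:PutSubscriptionFilter",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketNotification",
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:PutBucketWebsite",
        "s3:PutEncryptionConfiguration",
        "s3:PutObject",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:SetSubscriptionAttributes",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "states:CreateStateMachine",
        "states:DeleteStateMachine"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}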